Sextortion Scam Now Includes Ransomware

11 December 2018

Sextortion scams are known for being incredibly pervasive, relying on social engineering methods in an attempt to blackmail victims. These scams (for example "I am a spyware developer" or "I have bad news") often take the form of an email allegedly sent by a hacker which informs the victim that the hacker has compromised the victim’s computer and has managed to steal compromising information. This information, which may allegedly show the victim watching pornography, is then threatened to be released within a time frame if the hacker does not receive a payment, usually in cryptocurrency, before the deadline.

Security researchers at Proofpoint have discovered such a campaign which ultimately leads to a ransomware infection as well. The researchers published their findings in an article which details how a sextortion campaign also included URLs linking to the AZORult stealer, which ultimately led to infection with GandCrab ransomware.

Sextortion and Ransomware Together

This is not the first time researchers at Proofpoint have encountered the AZORult stealer, "stealer" being the term for a trojan whose primary role is to steal important information without being detected. Originally detected in 2016 as part of a secondary infection via the Chthonic banking Trojan, the stealer has evolved consistently since then, and instances of it have been witnessed being dropped via exploit kits as either primary or secondary payloads. In July 2018, the stealer was again updated to include better antivirus mitigation techniques and the Hermes ransomware. The GandCrab ransomware will be familiar to readers, as its authors released a decryption tool for those living in war-torn Syria. Later, Europol and researchers at Bitdefender released a decryption tool for the majority of GandCrab versions seen in the wild.

The latest campaign was seen on December 5, 2018, and at first glance would resemble a typical sextortion campaign. Thousands of spam emails were sent to addresses primarily residing in the United States of America, with the sample mail provided by Proofpoint showing that a URL was included that resolves to jdhftu[.]tk. The URL supposedly takes the victim to a presentation showing them a video of the compromising activities, or so the hackers want the victim to believe. However, it actually leads to the AZORult stealer malware, which, in turn, installs GandCrab ransomware version 5.0.4 with affiliate ID “168;777”.

The campaign depends on several factors for success. The first is the successful combination of multiple layers of social engineering techniques, which are meant to instill fear into the victim and get them to click on the malicious URL. Another method employed by the hackers to scare the victim is stating that they have compromised the victim's email password. Researchers argue that this may be a bluff, as the email address, in this case, appears to be the same as the email account. If the victim clicks the link and the GandCrab ransomware is installed, the installed version will demand a ransom of 500 USD in either Bitcoin or DASH cryptocurrency.

Defending Against Such Scams

Sextortion scams, regardless of whether they include ransomware or stealers, are not a new occurrence and prey on those things we may be embarrassed about others knowing. It is important to remember that the vast majority of such scams are a sham. The hackers and cyber-criminals attempting such scams more often than not do not actually possess screenshots or video of any compromising activity. A quick look at recent scams seems to prove this. In July of this year, Krebs on Security published an informative article on the matter, in which the scammers attempted to blackmail victims using the same method mentioned above. What made this instance interesting is that the scammers employed some kind of script that draws usernames and passwords directly from a given data breach to scare victims into thinking they were indeed compromised. However, many of the passwords were roughly a decade old and must have resulted from a data breach earlier than that. Of those affected, it appeared the scammers had no compromising information.

Then in September 2018, USA Today reported on another similar scam where again a password was given as evidence to prove compromise, with the email claiming:

“while you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account and email account.”

Sensing a pattern? Then in October, PC Mag published another article detailing another such scam. In this instance, millions of emails were sent to recipients last month in a variety of languages including English, French, Japanese and Arabic, and again it was proven that the hackers did not have the kind of access to the victim's computer that they mention in the email. In these instances, researchers insist that the user should not click any links or open attachments to verify the sender’s claims.

Instances Where the Compromising Material is Evident

Most of the above article is dedicated to scams without access to compromising material, be it video or image, but what of scams that do have such material? Such scams do exist and have affected users of dating apps such as Tinder or Grindr. Often the victim sends an image of themselves in a compromising position in the hope that the receiver will send a similar image back, all at the scammer’s behest. The victim is then blackmailed, and payment must be made or the image is made public. To initiate the scam, scammers create fake profiles using real images stolen from real people.

To that end, the Federal Bureau of Investigation (FBI) advises users to:

Never send compromising images of yourself to anyone, no matter who they are or whom they say they are.

Do not open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.

Turn off, or simply cover, any web cameras when you are not using them.